U.S. Telcos Have Never Challenged NSA Demands for Your Metadata

Since at least 2006 a secret spy court has continuously compelled the nation’s carriers to hand over records of every telephone call made to, from, or within the United States.

But none of the phone companies have ever challenged the orders in court, according to an August 29 opinion (.pdf) by the Foreign Intelligence Surveillance Court, which was declassified today.

“To this date, no holder of records who has received an Order to produce bulk telephony metadata has challenged the legality of such an Order,” reads the ruling. “Indeed, no recipient of any Section 215 Order has challenged the legality of such an Order, despite the explicit statutory mechanism for doing so.”

The FISC orders cited Section 215 of the Patriot Act to require phone companies like Verizon and AT&T to hand over the phone numbers of both parties involved in all calls, the international mobile subscriber identity (IMSI) number for mobile callers, calling card numbers used in the call, and the time and duration of the calls.

To be sure, any challenge to the surveillance program would have been done before the court in secret, and it’s unlikely one would have been successful.

That carriers willfully provided the metadata without blinking a legal eye, however, is cause for alarm, as the telcos appear to be the only ones so far with legal standing to make a challenge to the bulk collection orders. The Electronic Frontier Foundation, American Civil Liberties and others have brought challenges, but the legal fight on whether they have the right to sue remains undecided.

The bulk collection program came to public light in June, when the Guardian published a FISC order on the topic leaked to the media outlet by NSA whistleblower Edward Snowden.

The court declassified (.pdf) an opinion today in the wake of Snowden’s leaks.

“This Court is mindful that this matter comes before it at a time when unprecedented disclosures have been made about this and other highly-sensitive programs designed to obtain foreign intelligence information and carry out counterterrorism investigations. According to NSA Director Gen. Keith Alexander, the disclosures have caused ‘significant and irreversible damage to our nation,'” according to the opinion.

The metadata surveillance became lawful with a 2006 update to the Patriot Act. But it’s been reported that most major carriers were providing the NSA with bulk metadata voluntarily before then in the wake of the 2001 terror attacks.

So the Electronic Frontier Foundation sued the nation’s carriers. After a San Francisco federal judge refused to toss the lawsuit, Congress in 2008 passed legislation immunizing the telcos from ever being sued for forwarding customer data to the NSA.

“It’s disappointing that the telecoms did not stand up for their users,” Kurt Ospahl, an EFF staff attorney, said in a telephone interview.

The opinion declassified today spells out the court’s interpretation of why it is legal under the Patriot Act that all calling records can be forwarded to the NSA. It also notes that there is no adversarial process, meaning without a third-party challenger, the court relies solely on the government’s assertions. Every 90 days the court orders carriers to forward all calling metadata on a rolling basis.

“To ensure adherence to its Orders, this Court has the authority to oversee compliance … and requires the government to notify the Court in writing immediately concerning any instance of non-compliance. According to the government, in the prior authorization period there have been no compliance incidents,” the court wrote.

The telcos we contacted for this story did not return calls for comment or were not immediately prepared to comment.

A day after the Guardian‘s story, however, Verizon declined to acknowledge the program but also said it was just following orders.

“Verizon continually takes steps to safeguard its customers’ privacy. Nevertheless, the law authorizes the federal courts to order a company to provide information in certain circumstances, and if Verizon were to receive such an order, we would be required to comply,” Randy Milch, Verizon’s general counsel, said in a letter to employees.

On the other hand, tech companies have been pushing for transparency. They are demanding the NSA allow them to be more transparent about what type of customer data they are secretly required to share with the NSA.